But the new laws --- the Regulation, which governs data rules for European citizens --- and the Directive, which governs how law enforcement can use your data --- do appear to protect against one controversial legal tool: U.S. National Security Letters.

While super-injunctions only apply to the UK, the U.S. has a similar tool to prevent citizens from speaking about a certain something, or to even mention that there is a 'gagging order' in place. Frankly, it is odd, seeing as the U.S. has constitutionally-bound freedom of speech laws, while the UK doesn't.

NSLs are often invoked alongside other legislation, such as the Patriot Act or FISA, both of which can reach outside of the U.S.' jurisdiction. It means data on a person can be requested by a U.S. government agency to another U.S. company, or even a U.S.-owned but EU-based company, and have data handed back. And, because the gagging order prevents the disclosure of such data, the subject of the data is never informed.

Forbeshighlighted that the new European data laws would prevent the non-disclosure of data, but failed to explain why exactly. It did note that Google receives around 1,000 such requests every month from U.S. government agencies, so NSLs are used a great deal, not only by giants like Google but others also.

1. The data subject shall have the right to obtain from the controller at any time, on request, confirmation as to whether or not personal data relating to the data subject are being processed. Where such personal data are being processed, the controller shall provide the following information:

(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipients to whom the personal data are to be or have been disclosed, in particular to recipients in third countries

1. Member States shall provide for the right of the data subject to obtain from the controller confirmation as to whether or not personal data relating to them are being processed. Where such personal data are being processed, the controller shall provide the following information:

(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipients to whom the personal data have been disclosed, in particular the recipients in third countries;

Effectively, both the Regulation and the Directive say that the person whose data is subject to the request must be informed if law enforcement of a third-country wants access to it. The data ultimately belongs to the person, therefore anyone outside the European Union who wants it must ask.

It does not mean that the person will know what law enforcement wants with it --- although, had they been doing something illegal, it might be a giveaway --- but they will be informed at very least that a law enforcement agency wants their data.

Three things to note:

Firstly, is that these proposals are merely in draft form and have yet to be rubber-stamped by the European Parliament. Secondly, the language is vague and does not clearly mention U.S. law, but also leaves it open to protecting European citizens against other third-country laws. Thirdly, this only applies to EU-based companies with links or ownership to the United States.

Thank You

By registering you become a member of the CBS Interactive family of sites and you have read and agree to the Terms of Use, Privacy Policy and Video Services Policy. You agree to receive updates, alerts and promotions from CBS and that CBS may share information about you with our marketing partners so that they may contact you by email or otherwise about their products or services.
You will also receive a complimentary subscription to the ZDNet's Tech Update Today and ZDNet Announcement newsletters. You may unsubscribe from these newsletters at any time.